AUDIT OF SBA'S INFORMATION SYSTEMS CONTROLS
FISCAL YEAR 2003
AUDIT REPORT NUMBER 4-19

APRIL 29, 2004

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

AUDIT REPORT

Issue Date: April 29, 2004
Number: 4-19

To:       Stephen D. Galvan
          Chief Operating Officer
          Chief Information Officer

          Thomas A. Dumaresq
          Chief Financial Officer

          /S/
From:     Robert G. Seabrooks
          Assistant Inspector General for Auditing

Subject:  Audit of SBA's Information Systems Controls for FY 2003

Attached is the audit report on SBA's Information Systems Controls for FY 2003 issued by Cotton & Company LLP as part of the audit of SBA's FY 2003 financial statements. The auditors reviewed the general and application controls over SBA's financial management systems to determine if those controls complied with various Federal requirements.

General controls are the policies and procedures that apply to all or a large segment of an entity's information systems to help ensure their proper operation. General controls impact the overall effectiveness and security of computer operations rather than specific computer applications. Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans. Application controls help ensure that transactions are valid, properly authorized, and completely and accurately processed by the computer. Federal requirements for general and application controls include Office of Management and Budget Circular A-130, Security of Federal Automated Information Resources, and the Computer Security Act of 1987.

The auditors concluded that SBA continued to make progress in implementing its information systems security program, but that improvements are still needed. The report describes areas where controls can be strengthened, such as: (1) entity-wide security program controls, (2) access controls, (3) application software development and program change controls, (4) system software controls, (5) segregation-of-duty controls, and (6) service continuity controls. The report also provides recommendations for strengthening controls in these areas.

SBA generally agreed with the auditors' findings and recommendations with the exception of finding 3B on SBA's Credit Reform Models. A determination as to the level of documentation required for the Credit Reform Models will be addressed in the audit resolution process.

The findings in this report are based on the auditors' conclusions, and the report recommendations are subject to review, management decision, and action by your office(s), in accordance with existing Agency procedures for follow-up and resolution.

Please provide us your proposed management decisions within 30 days on the attached SBA Forms 1824, Recommendation Action Sheet. If you disagree with the recommendations, please provide your reasons in writing.

Should you or your staff have any questions, please contact Jeffrey A. Brindle, Director, Information Technology and Financial Management Group, at (202) 205-[FOIA Ex. 6].

Attachments

COTTON & COMPANY LLP
auditors • advisors

333 North Fairfax Street • Suite 401 • Alexandria, Virginia 22314 • 703/836/6701 • FAX 703/836/0941 • WWW.COTTONCPA.COM

January 29, 2004

AUDIT OF INFORMATION SYSTEM CONTROLS
FISCAL YEAR 2003 FINANCIAL STATEMENT AUDIT
U.S. SMALL BUSINESS ADMINISTRATION

Inspector General
U.S. Small Business Administration

We were engaged to audit the financial statements of the U.S. Small Business Administration (SBA) as of and for the years ended September 30, 2003, and 2002, and have issued our report thereon dated January 28, 2004, in which we disclaimed an opinion on those financial statements. These financial statements are the responsibility of SBA's management.

In planning and performing our work, we considered SBA's internal control over financial reporting by obtaining an understanding of SBA's internal control, determining if internal control had been placed in operation, assessing control risk, and performing tests of control. We limited our internal control testing to those controls necessary to achieve objectives described in Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements.
We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982, such as those controls relevant to ensuring efficient operations. The objective of our work was not to provide assurance on internal control. Consequently, we do not provide an opinion on internal control.

Our consideration of internal control over financial reporting would not necessarily disclose all matters in internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect SBA's ability to record, process, summarize, and report financial data consistent with management assertions in the financial statements.

This report is intended solely for the information and use of SBA management. We would like to express our appreciation to the SBA representatives who assisted us in completing our work. They were always courteous, helpful, and professional.

Very truly yours,

COTTON & COMPANY LLP

/S/
Charles Hayward, CPA, CISA, CGFM

AUDIT OF INFORMATION SYSTEM CONTROLS
FISCAL YEAR 2003 FINANCIAL STATEMENT AUDIT
U.S. SMALL BUSINESS ADMINISTRATION

Cotton & Company LLP was engaged to audit the Fiscal Year (FY) 2003 and 2002 financial statements of the U.S. Small Business Administration (SBA). As part of that work, we reviewed general and application controls over SBA's information systems following guidance provided in the General Accounting Office's (GAO) Federal Information System Controls Audit Manual (FISCAM). FISCAM incorporates audit techniques and procedures to ensure adequate coverage of federal requirements and standards established by:

    •   Computer Security Act of 1987.

    •   Clinger-Cohen Act.

    •   Federal Information Security Management Act (FISMA).

    •   Office of Management and Budget (OMB) Circulars A-127, Financial Management Systems, and A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources.

    •   National Institute of Standards and Technology (NIST) standards and guidelines contained in NIST's Federal Information Processing Publications (FIP Pubs) and in its 800 series Special Publications.

This report contains the results of our review and recommendations for improvements. Control weaknesses discussed herein have been reported in SBA's FY 2003 financial statement internal control report as a reportable condition.

BACKGROUND

General controls are the policies, procedures, and practices that apply to all or a large segment of an entity's information systems to help ensure their proper operation. They impact the overall effectiveness and security of computer operations, rather than specific computer applications. GAO categorizes general controls as follows:

    •   Entity-wide security program controls provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related controls.

    •   Access controls limit or detect access to computer resources (data, programs, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure.

    •   Application software development and program change controls prevent implementation of unauthorized programs or modification to existing programs.

    •   System software controls limit and monitor access to powerful programs and sensitive files that control computer hardware and secure applications supported by the system.

    •   Segregation-of-duty controls provide policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations and thereby conducting unauthorized actions or gaining unauthorized access to assets or records.

    •   Service continuity controls ensure that when unexpected events occur, critical operations continue without interruption or are promptly resumed, and critical and sensitive data are protected from destruction.

Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.
Application controls encompass both routines contained within the computer program code and policies and procedures associated with user activities, such as manual measures performed by the user to determine if the computer accurately processed data. GAO categorizes application controls as follows:

    •   Authorization controls are most closely aligned with the financial statement accounting assertion of existence or occurrence. This assertion, in part, concerns the validity of transactions and that they represent economic events that actually occurred during a given period.

    •   Completeness controls directly relate to the financial statement accounting assertion on completeness, which deals with whether all valid transactions are recorded and properly classified.

    •   Accuracy controls directly relate to the financial statement assertion on valuation or allocation. This assertion deals with whether transactions are recorded at correct amounts. The control category, however, is not limited to financial information, but also addresses the accuracy of other data elements.

    •   Controls over integrity of processing and data files, if deficient, could nullify each of the above control types and allow the occurrence of unauthorized transactions, as well as contribute to incomplete and inaccurate data.

SBA'S INFORMATION SYSTEMS ENVIRONMENT

SBA's financial management information system environment is decentralized. It is comprised of seven major components operated and maintained by SBA offices and external contractors, as described below.

1.  Loan Accounting System (LAS), a set of mainframe programs that processes and maintains accounting records and provides management reports for SBA's loan programs. The Office of the Chief Information Officer (OCIO) is responsible for developing and maintaining LAS system software and hardware. LAS is operated and maintained under contract for SBA by UNISYS at its Eagan, Minnesota, facility.

2.  Automated Loan Control System (ALCS), a mini-computer system maintained and operated at each of SBA's four disaster area offices. ALCS tracks and processes disaster loan applications. After loan approval, it interfaces with LAS to update SBA's loan records. The Office of Disaster Assistance (ODA) operates ALCS and is responsible for developing and maintaining system software and hardware.

3.  Denver Finance Center (DFC) systems, a variety of specialized programs developed and maintained by the Office of the Chief Financial Officer (OCFO). These programs perform various functions, such as exchanging data with SBA's business partners, processing and maintaining disbursement and collection data, and interfacing with LAS.

4.  Joint Accounting and Administrative Management System (JAAMS), a client-server financial management system used by all SBA offices for administrative accounting functions. The JAAMS server and database were operated and maintained under contract for SBA by UNISYS at its Eagan, Minnesota, facility during FY 2003. The JAAMS production server and database were relocated to a new third-party vendor, CORIO, Inc., in Tempe, Arizona, on September 1, 2003. CORIO has a second facility in California housing the JAAMS test environment.

5.  Local- and Wide-Area Networks (LANs and WANs), communications systems maintained and operated by all SBA offices. LANs and WANs provide gateways to LAS, ALCS, and JAAMS; allow offices to share files and communicate electronically; permit the transfer of data among systems; and provide Internet access. OCIO develops and disseminates guidance and procedures for operation of these systems and periodically monitors to ensure compliance.

6.  Surety Bond Guarantee (SBG) system, a client-server system developed and maintained by OCIO. This system processes SBG program data and exchanges accounting information with JAAMS.

7.  Credit Reform and Subsidy Calculation System, a series of SAS and Java programs and Microsoft Excel spreadsheets developed and maintained by OCFO. It is used to calculate subsidy rates supporting SBA's various direct and guarantee loan programs, consisting of the Section 7(a), Small Business Investment Company (SBIC) Program, Section 504, and Disaster assistance loans, and SBA's secondary market guarantee program for pooled business loans accounted for in the Master Reserve Fund (MRF).

In addition, SBA's financial management activities rely on systems developed, maintained, or operated by external parties, including CORIO, Inc., Colson Services Corporation, UNISYS, and the National Finance Center (NFC), for processing and exchanging data related to functions such as loan servicing and payroll. SBA also has acquired lock-box banking services from the Bank of America and other non-continental domestic banks for processing checks on borrowers' loan payments; the banks provide this information electronically to DFC.

FY 2003 RESULTS

SBA continued to improve internal control over its information system environment in certain areas during FY 2003.
Its major accomplishments this year include the following:

    •   Conducted certification and accreditation reviews for additional major applications.
    •   Continued rollout of the Windows 2000 operating system at various field locations.

These accomplishments were, however, overshadowed by:

    •   Delays by SBA's program offices in implementing corrective actions to resolve prior-year weaknesses.
    •   Inadequate allocation of resources to support OCIO's security program to:

        •   Effectively monitor day-to-day security operations.
        •   Promote compliance with established security policies throughout SBA.

In the remainder of this report, we discuss results of our FY 2003 review and the status of management actions to address prior-year recommendations and new weaknesses identified in FY 2003. We also present our recommendations for improvements. This report includes the following attachments:

    Number   Title
    1        FY 2003 Summary of Results
    2        Status of Prior-Year Audit Recommendations
    3        Management Comments
    4        Network Analysis Results (Restricted Distribution and Use)

1.  ENTITY-WIDE SECURITY PROGRAM CONTROLS

Entity-wide security program planning and management provides a framework for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of an entity's computer-related controls. SBA's information system security program planning and management continued to have areas of weakness. Without an effective management control structure, control weaknesses throughout the information system and security infrastructure will continue, and specific actions to address weaknesses will continue to be ineffective. The cause of most control weaknesses discussed in this report can be traced to the weaknesses discussed in this segment of the report. We identified the following entity-wide security program control weaknesses during our FY 2003 financial statement audit:

A.  SBA's information system and security program did not provide assurance that the program complied with requirements established by federal laws, regulations, and standards. Control weaknesses identified in certification and accreditation reviews and audit reports were not resolved in a timely manner. Additionally, OCIO did not have procedures in place to ensure the effectiveness of controls to preclude reoccurrence of conditions. OCIO technical personnel were not provided technical training to enable personnel to successfully carry out their duties and responsibilities, and personnel technical training requirements were not strategically aligned with SBA's technology strategic plan.

    Further, OCIO was not effectively participating in developing new systems in a timely manner to ensure that system controls are properly designed and developed to provide adequate security and data reliability, completeness, and accuracy. OCIO had not developed the procedures to fulfill its delegated responsibilities and provide technical leadership on system development efforts initiated by other SBA program offices, such as OCFO and ODA, to ensure that system interrelationships and interfaces are addressed properly and in a timely manner to reduce manual transfer of financial information.

    OCIO had not fully resolved 15 conditions identified in prior-year audits. This demonstrates that SBA is not assigning a high priority to resolving audit recommendations and implementing corrective actions, contrary to requirements stipulated in OMB Circular A-50, Audit Follow-up.

    Management claimed that insufficient resources and higher priorities have impeded its ability to implement all requirements established by the Computer Security Act, Clinger-Cohen Act, FISMA, OMB Circulars A-127 and A-130, and NIST standards.

    SBA received approval to reorganize OCIO effective December 31, 2003. The reorganization will create two new offices: E-commerce and Information Security.
    OCIO will be a direct report to SBA's Administrator.

    Recommendation 1A: We recommend that the SBA Administrator ensure that sufficient resources are provided to enable OCIO to meet its responsibilities under the Clinger-Cohen Act, FISMA, and OMB Circulars A-50, A-127, and A-130.

    Recommendation 1B: We recommend that the Chief Information Officer revise and enhance existing policies and procedures to:

        •   Ensure control weaknesses identified in certification and accreditation reviews and audit reports are resolved in a timely manner and ensure senior management is provided timely information regarding the progress towards implementing corrective actions,

        •   Ensure OCIO monitoring controls are effective to preclude reoccurrence of previously noted weaknesses,

        •   Ensure technical personnel are provided technical training to enable personnel to successfully carry out their duties and responsibilities,

        •   Assure that technical skills are sufficient to meet new technical requirements prior to implementing new hardware and software, and

        •   Ensure OCIO effectively participates in all phases of system development in a timely manner to ensure that system controls are properly designed and developed to provide adequate security and data reliability, completeness, and accuracy for all significant system initiatives both within and outside of OCIO.

B.  OCIO had not implemented procedures to monitor and report management's actions to address and resolve weaknesses identified during system certification and accreditation reviews, audits, and management reviews. OCIO did not monitor system owner implementation of corrective actions to ensure that program offices address weaknesses identified during certification and accreditation reviews in a timely manner. As a result, OCIO was not fully compliant with FISMA, OMB circulars, and NIST standards.

    Recommendation 1C: We recommend that the Chief Information Officer, in conjunction with system owners:

    (1)  Develop policies and procedures to require system owners to provide plans of action to OCIO for correcting weaknesses identified from audits, management reviews, and certification and accreditation reviews.

    (2)  Ensure that plans adequately address management actions to resolve or minimize weaknesses in the short term while implementing longer-term system corrective actions. Develop reporting processes to follow up on system owner corrective action plans.

    (3)  Ensure that sufficient resources are made available to monitor system owner corrective action plans.

2.  ACCESS CONTROLS

Physical and logical access controls should be designed to protect an agency's assets against unauthorized modification, loss, destruction, and disclosure. During the FY 2003 controls review, we performed external and internal testing of the network and application access controls. We noted the following access control weaknesses:

A.  Controls over the administration of network and financial application accounts were not effective. OCIO developed and disseminated Procedural Notice 9000-1406, "Removal of Old Computer User Accounts," during FY 2003 in response to our prior-year recommendation in this area; however, this procedural notice is not being followed by all parties. We identified administrators not following established policies and procedures when adding or modifying accounts. Although OCIO did not have administrative responsibilities for all systems and the network, it was responsible for ensuring that all SBA program offices complied with OCIO security policy, standards, and requirements.

    We identified the following issues during our review of account administration at SBA headquarters, DFC, Sacramento Disaster Area Office, and Fresno Commercial Loan Service Center:

    [FOIA Ex. 2]

    Recommendation 2A: We recommend that the Chief Information Officer:

    (1)  Implement procedures to ensure compliance with Procedural Notice 9000-1406, "Removal of Old Computer User Accounts."

    (2)  Require network security administrators to review all current network accounts to identify and eliminate unnecessary accounts and require periodic documented reviews of all generic network accounts to ensure that they are authorized and needed.

    (3)  Provide resources sufficient to monitor and assess network administration activities to ensure compliance with federal laws and regulations, SBA policies and procedures, NIST guidance, and industry best practices.

    (4)  In coordination with program directors, develop procedures for controlling contractor personnel access to the network and applications.
         Procedures should be established to:

         •   Require Contracting Officers' Technical Representatives (COTRs) to notify security administrators in writing of each contractor personnel needing a network and application account, along with the privileges to assign to the account.

         •   Require all network and application accounts established for contractor personnel to be established with a renewal or termination date not to exceed one year or the length of the contract, whichever is less.

    (5)  In coordination with OHCM, develop procedures for network and application security administrators to receive notification of termination of SBA employees.

B.  [FOIA Ex. 2].

    Recommendation 2B: We recommend that the Chief Financial Officer instruct the Director of DFC to establish adequate physical security for routers by either moving the routers to a restricted area where access is limited to only authorized individuals, such as the server room, or developing compensating controls, such as constructing a security cage.

C.  [FOIA Ex. 2].

    Recommendation 2C: We recommend that the Chief Information Officer:

    (1)  [FOIA Ex. 2]

    (2)  Create new network accounts for non-headquarters network administrators with limited domain administrative privileges to add and delete users and add, delete, and modify objects within office Organizational Units.

    (3)  Develop and implement procedures to perform periodic reviews of highly privileged accounts to assess the continuing need for accounts and privileges.

3.  APPLICATION SOFTWARE DEVELOPMENT AND PROGRAM CHANGE CONTROLS

SBA's application software development and program change controls should be designed to prevent implementation of unauthorized programs or modifications to existing programs. We noted the following:

A.  Change control policies and procedures for JAAMS and the Financial Reporting Information System (FRIS) are not being properly followed at DFC because required signatures on SBA's System Implementation Order/Change Control forms are missing.

    Recommendation 3A: We recommend that the Chief Financial Officer require that OFM ensure that all change control forms are complete before changes are released into the production environment and that signatures are present for all spaces provided.

B.  OCFO's Credit Reform Models did not comply with change control policies, procedures, and documentation requirements in FASAB Technical Releases No. 3 and No. 6 or SBA system development and program change control policies and procedures. This occurred because:

        •   Actual changes to the formulas within Credit Reform Models were not tracked,
        •   Change policies for the models were informal and were not rigorously followed,
        •   Computations could not be reperformed, and
        •   Documentation needed to support computations did not exist.

    Federal Financial Accounting and Auditing Technical Release No. 3, Preparing and Auditing Direct Loan and Loan Guarantee Subsidies under the Federal Credit Reform Act of 1990 (FCRA), also broadly requires agencies to maintain internal controls over models in each of the following categories:

        •   Control environment
        •   Risk assessment
        •   Control activities
        •   Information and communication
        •   Monitoring

    The OIG released Audit Report No. 3-39, Monitoring of SBA's Implementation of the Disaster Credit Management System, in September 2003; this report identified OCIO's non-compliance with its SDLC policy and procedures relating to OCIO's lack of involvement with new systems being developed.

    Recommendation 3B: We recommend that the Chief Financial Officer formalize the change control, testing, acceptance, documentation standards, and validation procedures for the Credit Reform Models to conform with FASAB Technical Releases No. 3 and No. 6 and SBA system development and program change control policies and procedures.

    Recommendation 3C: We recommend that the Chief Information Officer develop the means to actively participate in all phases of system development efforts within the agency.

4.  SYSTEM SOFTWARE CONTROLS

Properly designed system software controls limit and monitor access to programs and files that control computer hardware and protect applications.
We identified security control weaknesses with the network operating system that reduce the effectiveness of controls to protect network operations from unauthorized activities from internal sources.

OMB Circular A-130, Appendix III, requires agencies to establish and implement adequate technical security controls to secure and safeguard data, software, and hardware from theft, misuse, alteration, and unauthorized access. Additionally, NIST and the National Security Agency (NSA) have developed standards for securing Windows 2000 environments.

A.  We conducted a scan of SBA's network to identify and assess the level of risk, using a vulnerability scanning tool to identify SANS (SysAdmin, Audit, Network, Security) Institute "Top 20" security vulnerabilities. Our scan assessed whether SBA network servers had been properly configured and whether network operating system software had been updated with vendor patches designed to address known vulnerabilities. A detailed breakdown of specific weaknesses is in Attachment 4.

    [FOIA Ex. 2]

    Recommendations 4A and 4B:

    We recommend that the Chief Information Officer develop and implement a corrective action plan with specific milestones to address the network weaknesses identified in Attachment 4 in a timely manner.

C.  In our FY 2002 FISCAM audit, we recommended that SBA enhance policies, procedures, and technical capabilities to monitor the network for suspicious activity. SBA agreed with this recommendation and initially projected a completion date of September 30, 2002. This date was later modified to February 28, 2003.

    Although OCIO installed a network intrusion detection system (IDS) and contracted with a vendor to monitor IDS activities and maintain and review all IDS activity logs, OCIO had not developed written policies or procedures to establish requirements and ensure performance.

    We commend OCIO for recognizing the need for installing additional server sensor devices on the network. OCIO plans to add another 20 sensors during FY 2004. OCIO has not, however, performed a security analysis to determine the most effective locations for the sensors.

    Recommendation 4C: We recommend that the Chief Information Officer:

    (1)  Perform a security assessment to determine the most effective placement of the 20 new sensors.

    (2)  Revise the IDS vendor's contract as necessary for performance factors established in Recommendation No. 4A of this report.

D.  The FY 2002 FISCAM report recommended that OCIO develop the means to test for compliance with SBA's password configuration requirements.

    [FOIA Ex. 2]

5.  SEGREGATION-OF-DUTY CONTROLS

An appropriately designed organizational structure with well-designed roles and responsibilities will minimize the risk that unauthorized actions take place and are not detected.

OMB Circular A-130, Appendix III, requires agencies to establish and implement controls within the general control environment and major applications that support the "least privilege" practice. Appendix III also requires establishing and implementing practices to divide steps of critical functions among individuals and establishing practices to keep a single individual from subverting a critical process.

GAO's FISCAM states:

        Management should have analyzed operations and identified incompatible duties that are then segregated through policies and organizational division. Although incompatible duties may vary from one entity to another, the following functions are generally performed by different individuals: IS management, system design, application programming, systems programming, quality assurance/testing, library management/change management, computer operations, production control and scheduling, data security, data administration, and network administration.

In addition, FISCAM states that:

        ...it is management's responsibility to ensure that segregation of duties is established, enforced, and institutionalized within the organization.

A.  Proper separation of duties for changes to JAAMS and FRIS had been identified on the System Implementation Change Control Form used at DFC; these separation-of-duties controls were not, however, fully enforced by management. Individuals were completing more than one area of the form, thus subverting controls intended to ensure proper separation of duties.
Inadequate\n        separation of duties increases the potential for unauthorized code to be implemented and placed\n        into production that could result in unauthorized activities.\n\n        Recommendation 5A: We recommend that the Chief Financial Officer instruct DFC\n        management to take steps necessary to ensure that individuals are not allowed to complete\n        incompatible areas during the system implementation and change process. In addition,\n        management should review all change control forms to verify that proper separation is in place.\n\n6.      SERVICE CONTINUITY CONTROLS\n\nProperly designed service continuity controls increase the assurance that normal business operations can\ncontinue with minimal disruption when unexpected events occur.\n\nOMB Circular A-130, Appendix III, requires an agency to establish and periodically test its capability to\ncontinue to provide services within a system based upon user needs and priorities. Furthermore, agencies\nare required to establish and periodically test the capability to perform agency functions supported by the\napplication in the event of failure of its automated support.\n\nA.      SBA cannot ensure that operations can be brought back within an acceptable period of time in the\n        event of a disaster or disruption in service. We reviewed service continuity plans and procedures\n        at SBA headquarters and field sites at DFC, Sacramento Disaster Area office, and Fresno\n        Commercial Loan Service Center. 
We noted weaknesses in business resumption plans (BRP) and\n        service continuity policies and procedures at all three field sites.\n\n        The following are specific exceptions noted by field site:\n\n        \xe2\x80\xa2       DFC had not developed or documented a test plan for testing its BRP and had not\n                established a target date for completing testing.\n\n        \xe2\x80\xa2       The Sacramento Disaster Area Office did not have a documented BRP, its tape backup\n                procedures did not meet SBA requirements, and it did not store tapes offsite.\n\n        \xe2\x80\xa2       The Fresno Commercial Loan Service Center had not tested or updated its BRP since\n                2001 and did not have adequate off-site storage of the office\xe2\x80\x99s backup tapes.\n\n        The SBA Headquarters Continuity of Operations Plan (COOP) was successfully tested in March\n        2003. In September 2003, SBA moved the JAAMS general ledger system from Eagan,\n        Minnesota, to a new data processing facility located in Tempe, Arizona. We understand the\n        JAAMS COOP was tested after fieldwork ended.\n\n        Without adequate service continuity controls, SBA has reduced assurance that it can provide an\n        orderly and reasonable recovery process.\n\n        Weaknesses with SBA\xe2\x80\x99s COOP were previously noted in OIG Audit Report No. OIG 02-18. In\n        that report, we recommended that the Chief Operating Officer (COO) complete a formal business\n        impact analysis in support of COOP and ensure the COOP properly addressed the required\n        elements (Recommendation Nos. 6A and 6B). We consider the COO\xe2\x80\x99s actions to date as non-\n        responsive. 
Additionally, at the exit meeting, the CIO stated that OCIO cannot take responsibility\n        for all facets of SBA\xe2\x80\x99s disaster recovery and business contingency planning and tests.\n\n\n                                                    10\n\x0cRecommendation 6A: We recommend that the Chief Operating Officer develop an agency-\nwide business impact analysis that captures all identified needs within stated recovery times. At a\nminimum, the analysis would identify:\n\n        \xe2\x80\xa2       Critical SBA business processes.\n\n        \xe2\x80\xa2       General support systems and major applications that would be needed in a\n                recovery process to support critical SBA business processes.\n\n        \xe2\x80\xa2       Required recovery time periods.\n\nRecommendation 6B: We recommend that the Chief Operating Officer finalize the draft COOP.\nThe final COOP should include the following items:\n\n        \xe2\x80\xa2       List of personnel and other resources related to the critical system that would be\n                needed in a recovery process.\n\n        \xe2\x80\xa2       Provisions for plan testing by each field office, disaster office, and headquarters\n                at least every 3 years.\n\n        \xe2\x80\xa2       Provisions for annual training on plan execution.\n\n        \xe2\x80\xa2       Requirements for distribution of the plan to appropriate individuals.\n\n        \xe2\x80\xa2       Identification of established contracts with external vendors as necessary to\n                support the business continuity plan and disaster recovery plan.\n\n        \xe2\x80\xa2       Assurance that all field sites have current, documented, and tested business\n                resumption plans in place.\n\n        \xe2\x80\xa2       Provisions to inform all field sites of their responsibilities for keeping the\n                business resumption plans current and tested.\n\n        \xe2\x80\xa2       Provisions to ensure that 
all field sites adhere to SBA policy requiring backup\n                tapes to be stored offsite.\n\n        \xe2\x80\xa2       Provisions to ensure that BRPs include procedures for safekeeping critical\n                business documents, such as loan files, to ensure their availability.\n\n\n\n\n                                             11\n\x0c                                                                                                        ATTACHMENT 1A\n                                                    SUMMARY OF RESULTS\n\n\nFY 2003 CFO AUDIT INFORMATION SYSTEMS                                                                SYSTEM\nCONTROL REVIEW\n                                                                            OCIO      ALCS       JAAMS       DFC      LANs          Credit\n            GENERAL CONTROL CATEGORIES AND                                  LAS                                       WANs          Reform\n             SPECIFIC CONTROL TECHNIQUES                                                                                            Models\n\nENTITY-WIDE SECURITY PROGRAM CONTROLS\nRisks are periodically assessed.                                              1          1          2          1         1            4\nSecurity program is documented.                                               2          1          2          1         1            4\nSecurity management structure is in place and responsibilities                2          1          2          1         2            4\nassigned.\nA personnel security policy is established.                                   2          1          2          1         1            4\nA security-monitoring program is established.                                 3          2          2          2         3            4\n\nACCESS CONTROLS\nInformation is properly classified.                                           
1          1          1          1         1            3\nUser access and privileges are authorized.                                    2          2          2          1         2            2\nPhysical and logical controls prevent and detect unauthorized                 2          2          2          1         3            2\nactivities.\nApparent unauthorized activities are monitored and investigated.              2          2          2          1         3            2\n\nAPPLICATION SOFTWARE DEVELOPMENT AND\nPROGRAM CHANGE CONTROLS\nProgram modifications are documented, reviewed, tested, and                   2          1          2          1         4            3\napproved.\nProgram changes are documented, reviewed, tested, and approved                 2         1          2          1         4            3\nbefore releasing to production.\nMovement of programs in and out of libraries is authorized.                   1          1          2          1         4            3\n\nSYSTEM SOFTWARE CONTROLS\nAccess to system software is limited.                                         2          2          2          1         2            3\nSystem access is monitored.                                                   2          2          2          1         2            3\nChanges to system are authorized and documented.                              1          1          2          1         1            2\n\nSEGREGATION-OF-DUTIES CONTROLS\nIncompatible duties are identified.                                           1          1          2          1         1            3\nSegregation of duties is enforced through access controls.                    
2          2          2          1         2            2\nSegregation of duties is enforced through formal operating procedures         2          2          2          1         2            2\nand supervisory review.\n\nSERVICE CONTINUITY CONTROLS\nCritical data and resources for recovery and establishment of                 1          1          2          1         2            1\nemergency processing procedures are identified.\nProcedures exist for effective backup and offsite storage of data and         2          2          1          1         2            2\napplication and system software.\nBusiness contingency and continuity and disaster recovery plans with          2          2          2          2         2            2\nhot-site facilities and annual testing are established.\n\nLEGEND\n1 \xe2\x80\x93 Based on our testing, controls appear to be in place. 2 \xe2\x80\x93 Based on our testing, controls appear to be in place, but not fully\nimplemented. 3 \xe2\x80\x93 Based on our testing, controls appear to not be in place. 4 - Control not applicable.\n\n                                                                   12\n\x0c                                                                                            ATTACHMENT 1B\n\n\n\n       APPLICATION CONTROL CATEGORIES AND                                      JAAMS         DCLS          FRIS\n           SPECIFIC CONTROL TECHNIQUES\n\nAUTHORIZATOIN CONTROLS\nAll data are authorized before entering the application system.                    1            1             1\nRestrict data entry terminals to authorized users for authorized purposes.         
4            4             4\nMaster files and exception reporting help ensure all data processed are            2            1             1\nauthorized\n\nCOMPLETENESS CONTROLS\nAll authorized transactions are entered into and processed by the                  2            2             2\ncomputer.\nReconciliations are performed to verify data completeness.                         1            1             1\n\nACCURACY CONTROLS\nData entry design features contribute to data accuracy.                            1            1             1\nData validation and editing are performed to identify erroneous data.              2            2             2\nErroneous data are captured, reported, investigated, and corrected.                3            2             2\nReview of output reports helps maintain data accuracy and validity.                2            2             2\n\nCONTROLS OVER INTEGRITY OF PROCESSING AND\nDATA FILES\nProcedures ensure that the current versions of production programs and              2            2              4\ndata files are used during processing.\nPrograms include routines to verify that the proper version of the computer         1            2              4\nfile is used during processing.\nPrograms include routines for checking internal file header labels before           1            2              4\nprocessing.\nThe application protects against concurrent file updates.                           1            2              4\nLEGEND\n1 \xe2\x80\x93 Based on our testing, controls appear to be in place. 2 \xe2\x80\x93 Based on our testing, controls appear to be in place,\nbut not fully implemented. 3 \xe2\x80\x93 Based on our testing, controls appear to not be in place. 
4 - Control not applicable.\n\n\n\n\n                                                          13\n\x0c                                                                                           ATTACHMENT 2\n\n                         AUDIT OF INFORMATION SYSTEM CONTROLS\n                                       FOR FY 2003\n                      STATUS OF PRIOR-YEAR AUDIT RECOMMENDATIONS\n\n\nCondition                                Recommendation                                          Status as of\n                                                                                                 9/30/03\n1 A: SBA has not recognized the          Recommendation 1A: We recommend that the Chief          Partially Complete\nNFC payroll/personnel system as a        Human Capital Officer in conjunction with OCIO\nmajor agency application and             designate the NFC payroll/personnel system as a\ntherefore has not established a          critical system and then proceed to develop an\nsystem security plan, risk assessment,   application systems security plan, risk assessment,\nand accreditation or approval for        and accreditation plan for the system.\nsystem use.\n B: SBA has not developed an             Recommendation 1B: We recommended in our                     Closed\nAgency-wide integrated security plan     Information System Controls Report for FY 2001\nfor implementing and integrating         (OIG 02-18) that SBA develop an agency-wide\nSOP requirements into OCIO\xe2\x80\x99s             security plan, in accordance with Section 5.8 of the\nsecurity program, as required by         Information Technology Architecture Plan. 
SBA\nSection 5.8.1 of SBA\xe2\x80\x99s FY 2000           agreed with this recommendation and projected a\nInformation Technology Architecture      completion date of September 30, 2003.\nPlan.\n\nC: The Office of Human Capital           Recommendation 1C: We recommended in our                      Open\nManagement (OHCM) has not                Information System Controls Report for FY 2001\ndefined personnel consequences for       (OIG 02-18) that SBA develop personnel policies\nnon-compliance with security             and procedures consistent with and in support of\npolicies and procedures and rules of     defined rules of behavior for general support systems\nbehavior.                                and major applications. SBA agreed with this\n                                         recommendation and initially projected a completion\n                                         date of December 1, 2002. This date was later\n                                         modified to January 31, 2003.\n\n\n\n\nD: SBA does not obtain signed non-       Recommendation 1D: We recommended in our\ndisclosure agreements from SBA and       Information Systems Controls Report for FY 2001              Closed\ncontractor personnel who handle          (OIG 02-18) that SBA develop non-disclosure and\nsensitive data.                          security awareness agreements that agency and\n                                         contractor personnel will be required to sign. SBA\n                                         agreed with this recommendation and initially\n                                         projected a completion date of December 1, 2002.\n                                         This date was later modified to February 28, 2003.\n\n[FOIA Ex. 2]                             [FOIA Ex. 
2]                                                  Open\n\n\n\nB: OCIO and OHCM have                    Recommendation 2B: We recommended in our                      Open\nundocumented procedures for              Information Systems Controls Report for FY 2001\ninforming security personnel of staff    (OIG 02-18) that OCIO and OHCM formally\nseparations. By using informal           document staff separation procedures. SBA agreed\nseparation procedures, the risk of an    with this recommendation and initially projected a\nunauthorized user having access to a     completion date of November 1, 2002. This date was\n                                                      1\n\x0cCondition                                Recommendation                                           Status as of\n                                                                                                  9/30/03\nsystem is increased.                     later modified to February 20, 2003.\n\nC: OCIO has not adequately               Recommendation 2C: We recommended in our                        Open\ndeveloped and provided technical         Information System Controls Report for FY 2001\ntraining for personnel performing        (OIG 02-18) that SBA develop and implement\nsecurity administration activities       technical training for security staff and all network\neither at the network or application     and application security administrators. SBA agreed\nlevel.                                   with this recommendation and initially projected a\n                                         completion date of November 1, 2002. This date was\n                                         later modified to December 1, 2003.\n\n[FOIA Ex. 2]                             [FOIA Ex. 
2]                                             Partially Complete\n\n\n\n\nE: The LAS security software             Recommendation 2E: We recommended in our                       Closed\nmodule continues to permit field         Information System Controls Report for FY 2001\noffice LAS security officers to view     (OIG 02-18) that SBA change the LAS security\neach user\xe2\x80\x99s password in the clear,       module to prevent the LAS security administrator\nthereby violating the security           from viewing passwords in plain text and to enable\nrequirement that only the user has       the administrator to re-set user passwords. On\nknowledge of the password. LAS           January 31, 2003 SBA reported full corrective action\nscreen SSDD04, which allows LAS          had been completed.\nusers to change their own passwords,\nwas not widely known or used by\nSBA employees. Furthermore, LAS\nsecurity officers are unable to re-set\nuser passwords.\n\n3 A: As noted in the prior-year,         Recommendation 3A: We recommended in our                     Partially\nalthough members of the OCIO             Information System Controls Report for FY 2001               Complete\nsecurity team were involved during       (OIG 02-18) that the CIO enhance system\nJAAMS development, the security          development procedures to ensure that security\nteam was not involved throughout         personnel actively participate in all phases of system\nthe entire process. OCIO did not         development. SBA agreed with this recommendation\ndevelop a plan to identify and guide     and projected a completion date of May 30, 2003.\nits participation during the JAAMS\ndevelopment. Additionally, OCIO\ndid not develop procedures to ensure\nthat actions were taken in a timely\nmanner. 
The Information\nTechnology Architectural Plan,\nSection 4.4.1, Application\nArchitecture Design Principles, and\nSection 5.4, Application\nArchitecture, require that\napplications be designed and\ndeveloped to incorporate IT security\n                                                        2\n\x0cCondition                                 Recommendation                                          Status as of\n                                                                                                  9/30/03\npolicies at the beginning and\nthroughout the System Development\nLife Cycle (SDLC).\n\n3 B: As noted in the prior-year,          Recommendation 3B: We recommended in our                      Closed\nprogram changes to the SBG system         Information System Controls Report for FY 2001\nwere not recorded in the tracking list    (OIG 02-18) that the CIO enhance configuration\nof program changes, even though           management procedures to modify the user request\nindividual documentation was              form to include a check-off and identification block.\navailable.                                SBA agreed with this recommendation and initially\n                                          projected a completion date of August 1, 2002. This\n                                          date was later modified to March 31, 2003.\n\n4 A: In our previous audit, we            Recommendation 4A: We recommend that the                Partially completed\nrecommended that SBA enhance              Chief Information Officer fully implement the\npolicies, procedures and technical        planned upgraded intrusion detection system and\ncapabilities to monitor the network       reporting/monitoring tools. Additionally, we\nfor suspicious activity. 
SBA agreed       recommend that the Chief Information Officer\nwith this recommendation and              develop a rule base and procedures for monitoring\ninitially projected a completion date     network activity and create and document escalation\nof September 30, 2002. This date          procedures and timelines for reporting suspicious\nwas later modified to February 28,        activity to OCIO security. Further, we recommend\n2003. [FOIA Ex. 2]                        that Chief Information Officer test escalation\n                                          procedures to ensure that responsible personnel\n                                          report questionable activities in a timely manner.\nIneffective software monitoring tools\nand escalation procedures impair the\nability to detect unusual activities on\nthe network and provide an intruder\nwith opportunity and time to gain\nunauthorized access to sensitive and\nhighly privileged accounts. The\nresult could be unauthorized\nmodification, destruction, or release\nof SBA data. In our previous-year\naudit, we recommended that SBA\nenhance policies, procedures, and\ntechnical capabilities to monitor the\nnetwork for suspicious activity.\n\n                                                                                                         Open\n[FOIA Ex. 2]                                   [FOIA Ex. 2]\n\n\n\n                                                                                                         Open\n[FOIA Ex. 2]                                  [FOIA Ex. 2]\n\n\n\n\n[FOIA Ex. 2]                                  [FOIA Ex. 
2]                                               Open\n\n\n\n\n                                                      3\n\x0cCondition                                 Recommendation                                            Status as of\n                                                                                                    9/30/03\nE: OCIO has not completed an              Recommendation 4E: We recommend that the                        Closed\ninterim certification and accreditation   Chief Information Officer develop and implement\nprior to implementation of                procedures to require that an interim certification be\nWindows 2000.                             completed for operating systems and applications\n                                          before implementation. Further, we recommend that\n                                          the Chief Information Officer complete a full\n                                          certification and accreditation of Windows 2000.\n\nF: The OCIO has not applied the           Recommendation 4F: We recommend that the                        Open\nmost recent relevant patches to the       Chief Information Officer adhere to the policies\nWindows 2000 operating system.            
previously developed and apply all relevant\nWhile OCIO has developed                  appropriate patches necessary to bring Windows\nprocedures related to obtaining,          2000 up to the current patch version as recommended\ntesting and applying software patches     by the vendor.\nas they are released, these procedures\nare not being consistently followed\nG: Administrators and security            Recommendation 4G We recommended in our                         Open\npersonnel are not adequately trained      Information System Controls Report for FY 2001\nto allow them to fully understand         (OIG 02-18) that OCIO provide appropriate training\ntheir responsibilities and handle         and periodic retraining to security personnel and\npossible security violations.             administrators to allow them to perform security\n                                          responsibilities effectively. SBA agreed with this\n                                          recommendation and projected a completion date of\n                                          March 31, 2003. Therefore, we are making no\n                                          recommendation at this time.\n\nA: We noted an instance in which          Recommendation 5A: We recommend that the                       Closed\nsystem programmers have access to         Chief Financial Officer either restrict programmer\nthe development environment as well       access to the production environment and preclude\nas the production environment.            
Condition (continued from previous page): Specifically, we noted the SBA Office of Financial Systems (OFS) programmers have access to the JAAMS production environment. Furthermore, we did not note any compensating control to this segregation-of-duty issue.

Recommendation (continued): ... programmers from independently installing new software or develop alternative control procedures to manage the risk of developers having access to the production environment.

Condition 5B: Several district office and servicing center LAS security administrators continue to have LAS user accounts for themselves in addition to their highly privileged administrator accounts.

Recommendation 5B: We recommended in our Information System Controls Report for FY 2001 (OIG 02-18) that SBA preclude LAS security administrators from establishing individual user accounts for themselves. SBA responded that certain LAS security administrators cannot be precluded from establishing individual user accounts for themselves due to the size of the offices where they work and that performing security administrator functions is a collateral duty. SBA implemented LAS program edits to prevent the same user ID from performing multiple functions on the same loan. Therefore, SBA has accepted the risk of allowing certain users to perform inherently conflicting duties.

Status as of 9/30/03: Closed

Condition 6A: SBA has not completed a formal business impact analysis in support of its COOP. Additionally, the COOP is still in draft stage.

Recommendation 6A: We recommend that the Chief Operating Officer develop an agency-wide business impact analysis that captures all identified needs within stated recovery times. At a minimum, the analysis would identify:
     •   Critical SBA business processes.
     •   General support systems and major applications that would be needed in a recovery process to support critical SBA business processes.
     •   Required recovery time periods.

Status as of 9/30/03: Open

Condition 6B: SBA's current draft COOP does not contain other critical elements of a COOP.

Recommendation 6B: We recommend that the Chief Operating Officer follow the formal process outlined above, make changes to the current COOP as necessary, and finalize the draft COOP. The final COOP should include the following items:
     •   List of personnel and other resources related to the critical system that would be needed in a recovery process.
     •   Provisions for annual plan testing.
     •   Provisions for annual training on plan execution.
     •   Distribution of the plan to appropriate individuals.
     •   Identification of established contracts with external vendors as necessary to support the business continuity plan and disaster recovery plan.

Status as of 9/30/03: Open

Condition 7A: SBA's mainframe computer operations disaster recovery hot-site test did not include a test of the communication linkage between headquarters and the hot-site facility.

Recommendation 7A: We recommended in our Information System Controls Report for FY 2001 (OIG 02-18) that OCIO revise current contractual agreements with its communication supplier to include setting up a temporary dedicated line between headquarters or a major business center and the hot-site mainframe recovery facility in the event of a problem. OCIO agreed with this recommendation and projected a completion date of July 1, 2003.

Status as of 9/30/03: Open

Condition 7B: Weak mainframe computer operation control increases the risk of lost LAS data and data processing capability and hinders SBA's ability to carry out its daily functions. We identified physical and management access control weaknesses with the mainframe computer data processing center and computer room. Specifically, we identified the following conditions:
Facility management has not established internal control to ensure that:
     •   Console logs are reviewed on a regular basis.
     •   Only current employees have console user accounts.
     •   Console account passwords comply with SOP 90-47.

Recommendation 7B: We recommended in our Information System Controls Report for FY 2001 (OIG 02-18) that SBA enter into an agreement with the third-party mainframe service provider to correct identified weaknesses and allow periodic reviews of controls by SBA representatives. SBA agreed with this recommendation and projected a completion date of March 31, 2003.

We also recommended in our Information System Controls Report for FY 2001 (OIG 02-18) that SBA continue to pursue with the General Services Administration a requirement for the third-party mainframe service provider to undergo an annual SAS 70 type of audit of its data processing facility and make audit results available to SBA. SBA agreed with this recommendation and projected a completion date of August 31, 2005.

Status as of 9/30/03: Open

Condition 8A: Only authorized transactions should be entered into the application system and processed by the computer. A written authorization (certification and accreditation) to operate JAAMS was not completed until December 2002. Also, application-specific rules of behavior do not exist. The JAAMS security plan, written during development, has not been updated.

Recommendation 8A: We recommend that the Chief Financial Officer in conjunction with OCIO develop rules of behavior for JAAMS and update the application security plan.

Status as of 9/30/03: Closed

Condition 8B: A formal business recovery plan for JAAMS does not exist.

Recommendation 8B: We recommend that the Chief Financial Officer in conjunction with OCIO develop a JAAMS-specific business continuity plan, communicate plan requirements to all impacted employees, contractors, and vendors and update underlying service-level agreements to reflect those requirements.

Status as of 9/30/03: Closed

Condition 8D: All authorized transactions should be entered into and completely processed by the computer. Three suspense files have unresolved transactions over 30 days old. The most significant of these was the accounts payable suspense file with over 1,000 unresolved transactions worth over $1 million.

Recommendation 8J: We recommend that the Chief Financial Officer create and implement policies and procedures to research and resolve all items outstanding in suspense, rejection, and error accounts older than 60 days.

Status as of 9/30/03: Closed

Condition 8E: SBA inadvertently issued four duplicate payments to grant recipients. The funds were later identified and retrieved. The duplicate payments appear to have been caused by a lack of documented procedures relating to a specific occurrence in the accounts payable daily close process. During the close process, SBA attempted to cancel a batch accounts payable submission. When the submission was canceled, four payments were still processed. SBA personnel were unaware that these four payments were processed. This error could have been immediately identified with documented procedures instructing the employee to verify that no payments were processed. SBA does not, however, have documented procedures on how or what to do when a batch submission is cancelled in the accounts payable module. We have been informed that procedures have been verbally updated to ensure that duplicate payments are not processed again through the accounts payable close process.

Recommendation 8K: We recommend that the Chief Financial Officer ensure that formal documented procedures exist to eliminate the re-occurrence of duplicate payments.

Status as of 9/30/03: Closed

Condition 8F: Funds availability in the JAAMS budget module is erroneously fluctuating when end users input incorrect transaction codes. This error appears to be partially caused by inadequate end-user training and incomplete edit and validation checks.

Recommendation 8L: We recommend that the Chief Financial Officer provide training and strengthen edits and validations related to funds availability and related procurement and accounts payable transaction codes to prevent the "movement" of funds availability.

Status as of 9/30/03: Closed

Condition 8G: Cancellation or final closure of a document is designed to cause the related commitment or obligation to reverse, and funds to become available once again. This does not, however, always happen. Therefore, in such cases, the general ledger must be fully researched and corrected.

Recommendation 8M: We recommend that the Chief Financial Officer follow up with Oracle to resolve the issue of funds not being released when a document is cancelled.

Status as of 9/30/03: Closed

Condition 8H: The OCFO has not applied the most recent patches to JAAMS. While OCIO has developed procedures related to obtaining, testing and applying software patches as they are released, these procedures are not being consistently followed.

Recommendation 8N: We recommend that the Chief Financial Officer adhere to the policy developed by OCIO and apply all patches necessary to bring JAAMS up to the current patch version as recommended by the vendor.

Status as of 9/30/03: Closed


         ATTACHMENT 3: MANAGEMENT COMMENTS AND OUR EVALUATION

The Chief Operating Officer, Chief Information Officer, Chief Financial Officer, and Chief Human Capital Officer provided a consolidated response to the draft report. SBA management generally agreed with the recommendations except for recommendation 3B. We have incorporated their comments in this report as appropriate and included their comments and our evaluation of the comments on the following pages.


                                                                              ATTACHMENT 3A

                       U.S. SMALL BUSINESS ADMINISTRATION
                              WASHINGTON, D.C. 20416


Date:          April 8, 2004

To:            Robert G. Seabrooks
               Assistant Inspector General for Auditing

From:          Stephen D. Galvan /S/
               Chief Operating Officer/Chief Information Officer

Subject:       Response to Draft Audit of SBA's Information Systems Controls

   Attached is SBA's response to the draft audit report titled, "Audit of SBA's Information System Controls," which recommends ways to improve Agency information system general and application controls. Based on GAO's categorization of information system controls, the draft report reviews and discusses the following areas:

  1.   Entity-wide security program controls,
  2.   Access controls,
  3.   Application software development and program change controls,
  4.   System software controls,
  5.   Segregation of duty controls, and
  6.   Service Continuity Controls.

  In general, SBA agrees with the majority of the recommendations, though not necessarily the specific recommended corrective action(s) identified in response to cited deficiencies. Once the OIG publishes the final report, we will include projected timelines for completing the corrective actions as part of the Agency's response.
In the attached response, we have summarized the essence of each audit recommendation, followed by our response.


Attachment a/s


                                                                                  Attachment 3A

                     OIG Recommendations and SBA Responses

Entity Wide Program Controls – SBA should assign higher priority to resolving audit recommendations, implementing corrective actions, and providing CIO with sufficient resources to minimize entity-wide security program weaknesses as required in statute.

Recommendation 1A: (1) SBA's Administrator should ensure that sufficient resources are provided to OCIO to meet its responsibilities under statute and OMB circulars, and (2) CIO should revise and enhance existing policies and procedures to ensure that proper control weaknesses are resolved, monitoring is effective, technical training made available, existing skill sets sufficient to the tasks, and Office of Chief Information Officer (OCIO) participating in all phases of system development.

Response: SBA agrees with the two recommendations and has already begun to implement them. For example, the SBA Administrator has reorganized the OCIO to report directly to him, assigned the security functions to a separate division within the OCIO raising its visibility, increased the priority assigned to information technology and systems control by designating the Chief Operating Officer (COO) the dual responsibility of COO and CIO, and supported increases in staff and budget for CIO security functions. Assigning the dual responsibility of COO and CIO to one person serves to integrate the IT and security functions more fully into Agency line programs. Furthermore, the COO co-directs the performance monitoring process within the Agency (i.e., Execution Scorecard), which ensures that we place sufficient priority on resolving control weaknesses and execution of sound internal management principles.

OCIO is also currently revising its policies and procedures that relate to its certification and accreditation reviews and establishing monitoring systems to track implementation of corrective actions, offer project management training to all Agency project managers, and negotiate partnership agreements to define OCIO involvement and commitment with program "owners" at the earliest phases of system development.

Recommendation 1B: CIO should (1) develop policies and procedures to ensure system owners fix weaknesses, (2) ensure that plans resolve weaknesses and that effective follow-up procedures are developed for corrective action plans, and (3) ensure that sufficient resources are made available to monitor system owner corrective action plans.

Response: We agree with recommendation 1B and will develop appropriate policies and procedures. For major weaknesses, we are including corrective actions into the Agency Scorecard to enable senior management to monitor progress and to ensure corrective actions and execute them in a timely and effective manner. The COO has assigned a senior staff member to track OIG and GAO management weaknesses and execution of corrective actions. Together with implementation of the monthly Scorecard monitoring process, SBA will significantly improve its internal management processes.

2. Access Controls—ineffective controls over the network administration and financial application accounts make SBA vulnerable to unauthorized modification, loss, destruction and disclosure.

Recommendation 2A: [FOIA Ex. 2]

Response: [FOIA Ex. 2].

Recommendation 2B: CFO should ensure that the Director of DFC establishes adequate physical security for routers.

Response: As included in separate response to the draft audit, CFO agrees with the recommendation and OCIO and DFC will determine the best way to improve the physical security for the routers.

Recommendation 2C: CIO should (1) [FOIA Ex. 2], (2) create new network accounts for non-HQ network administrators, and (3) perform periodic reviews of highly-privileged accounts.

Response: CIO agrees with the recommendation to exercise close scrutiny over who continues to have "domain admin" privileges and special accounts and to continue to review the need. It should be noted, however, that at this time senior management has determined that the current 59 accounts are necessary to execute required job functions.

3. Application Software Development & Program Change Controls—change control policies and procedures are not being followed, which makes SBA vulnerable to unauthorized programs or modifications (JAAMS and FRIS)

Recommendation 3A: CFO should require OFM to ensure that all change control forms are complete before changes are released in the production environment.

Response: CFO agrees with this recommendation.

Recommendation 3B: CFO should comply with change control test, acceptance, and validation procedures in SBA's SDM for all credit reform models.

Response: As described in separate response to this draft audit, CFO disagrees with this recommendation for three reasons; namely, (1) OMB has determined that credit subsidy models are not systems, (2) SBA has a Business Technology Investment Council (BTIC) process to determine what is a system and what is reported on Exhibit 300s and 53s, and (3) other credit agencies do not subject their subsidy models to these "systems" requirements.

Recommendation 3C: CIO should develop the means to actively participate in all phases of system development in the Agency.

Response: CIO agrees with this recommendation and has taken the following steps: (1) Reinvigorated the BTIC process (chaired by the Deputy CIO), where the Agency can prioritize and approve development of its systems and ensure that the appropriate offices are collaborating in the development, (2) Ensured that Information Technology efforts are included in the Execution Scorecard monitoring process, and (3) Developed a partnership modeling process whereby program offices sign performance agreements with OCIO to establish performance goals and commitment levels from the onset of systems design efforts.

4. System Software Controls — Security weaknesses with the network, vendor patches, and improperly configured servers make SBA vulnerable to unauthorized activities from internal sources.

Recommendation 4A and 4B: CIO should implement corrective actions to address weaknesses identified in Attachment 4 (separate document) and develop policies for monitoring the network for suspicious activity.

Response: CIO agrees with the recommendations.

Recommendation 4C: CIO should perform a security analysis to determine the most effective location for server sensors and revise the IDS vendor's contract to comply with recommendations in this report.

Response: CIO agrees with the need to perform a security analysis, but will determine appropriate performance and metrics for security related activities, including any needed contract modifications.

Recommendation 4D: [FOIA Ex. 2].

5. Segregation of Duty Controls – SBA has not fully implemented separation-of-duty controls for changes to JAAMS and FRIS used at DFC.

Recommendation 5A: CFO should instruct DFC management to ensure that appropriate procedures are followed in change processes and that management should review all change control forms.

Response: CFO agrees with this recommendation and will respond in detail to the OIG upon receipt of the final FISCAM report.

6. Service Continuity Controls—SBA cannot ensure that disruption in service is minimized in event of disaster and has weaknesses in its continuity of operations plan.

Recommendation 6A: COO should develop a business impact analysis that captures all identified needs within stated recovery times for the Continuity of Operations Plan (COOP) and finalize the draft COOP.

Response: COO agrees with the recommendation and will do a business impact assessment that defines SBA critical business processes, identifies general support systems that need recovery processes, and stipulates required recovery time periods. We will also work with GSA, other federal agencies, and the OIG to determine the appropriate components of the COOP and to ensure effective implementation based on guidelines developed in the ongoing OIG audit of our COOP.


                                                                             ATTACHMENT 3B

                            U.S. Small Business Administration
                               Office of the Chief Financial Officer
                                     Washington, D.C. 20416


To:            Robert G. Seabrooks
               Assistant Inspector General for Auditing

From:          Thomas Dumaresq /S/
               Chief Financial Officer

Date:          April 5, 2004

Re:            Response to Fiscal Year 2003 Federal Information Systems Controls Audit
               Manual (FISCAM) report


This is a response to the draft report issued by the Office of the Inspector General (OIG) "Areas for Improvement in Information System Controls - Fiscal Year 2003 Financial Statement Audit".

The Office of the Chief Financial Officer received three recommendations related to Denver-based financial systems (recommendations 2B, 3A and 5A). These recommendations relate to the physical security, change control, and access to these systems. Generally, we agree with these recommendations and we will respond in detail upon the receipt of the final FISCAM report.

Recommendation 3B on SBA's credit subsidy models was for the Chief Financial Officer to comply with change control test, acceptance, and validation procedures in SBA's Systems Development Manual for all credit reform models that have been rebuilt or have undergone significant change. We disagree with this recommendation for three reasons. 1) The Office of Management and Budget (OMB) recently determined that credit subsidy models are not "systems" for the purpose of the systems requirements governing change control test, acceptance, and validation procedure. We agree with OMB's position and think it inappropriate to classify SBA's subsidy models as a system. 2) SBA has an established Business Technology Investment Council (BTIC) composed of senior management and board members; the council is led by the Chief Information Officer/Chief Operating Officer. Through the activities of the BTIC, SBA determines the classifications of systems which are ultimately reported on SBA's Exhibit 53 and Exhibit 300 submissions to OMB. The classification of systems is internal to the agency. 3) Finally, based on our research, other Federal credit agencies do not subject their subsidy models to these "system" requirements.

We have also reviewed Attachments 1A and 1B that use the green/yellow/red color scheme to depict the FISCAM audit results. As agreed upon, all the red-colored boxes under the JAAMS column will be changed to yellow. We have had positive discussions with Cotton & Company and OIG on the attachments and believe that we should strive for a clearer representation of the summary results and its associated colors based on the findings in the FISCAM report.

I thank you for the opportunity to respond to the audit report. We are looking forward to continuing to work with the Office of the Inspector General on future audits.


                          Audit of SBA's Information System Controls
                                         April 15, 2004
                             COO/OCIO/OHCM/OCFO Response
              (Certain Recommendations were renumbered from the Draft Report)

1. Entity-Wide Security Program Controls

Recommendation 1A: SBA agrees with the two recommendations and has already begun to implement them. For example, the SBA administrator has reorganized the OCIO to report directly to him, assigned the security functions to a separate division within the OCIO raising its visibility, increased the priority assigned to information technology and systems control by designating the Chief Operating Officer (COO) the dual responsibility of COO and CIO, and supported increases in staff and budget for CIO security functions. Assigning the dual responsibility of COO and CIO to one person serves to integrate the IT and security functions more fully into Agency line programs.
Furthermore, the COO co-directs the performance monitoring process within the Agency (i.e., Execution Scorecard), which ensures that we place sufficient priority on resolving control weaknesses and execution of sound internal management principles.

Recommendation 1B: OCIO is also currently revising its policies and procedures that relate to its certification and accreditation reviews and establishing monitoring systems to track implementation of corrective actions, offer project management training to all Agency project managers, and negotiate partnership agreements to define OCIO involvement and commitment with program "owners" at the earliest phases of system development.

Recommendation 1C: We agree with recommendation 1B [1C] and will develop appropriate policies and procedures. For major weaknesses, we are including corrective actions into the Agency Scorecard to enable senior management to monitor progress and to ensure corrective action. The COO meets regularly with each senior manager to discuss OIG suggested corrective actions and execute them in a timely and effective manner. The COO has assigned a senior staff member to track OIG and GAO management weaknesses and execution of corrective actions. Together with implementation of the monthly Scorecard monitoring process, SBA will significantly improve its internal management processes.

2. Access Controls

Recommendation 2A: CIO agrees with each of the elements in the above recommendation and will determine the most cost effective, systematic, and ongoing way for implementing them without jeopardizing daily operations.

Recommendation 2B: As included in a separate response to the draft audit, CFO agrees with the recommendation and OCIO and DFC will determine the best way to improve the physical security for the routers.

Recommendation 2C: [FOIA Ex. 2]

3. Application Software Development and Program Change Controls

Recommendation 3A: CFO agrees with this recommendation.

Recommendation 3B: We disagree with this recommendation for three reasons. 1) The Office of Management and Budget (OMB) recently determined that credit subsidy models are not "systems" for the purpose of the systems requirements governing change control test, acceptance, and validation procedure. We agree with OMB's position and think it inappropriate to classify SBA's subsidy models as a system. 2) SBA has an established Business Technology Investment Council (BTIC) composed of senior management and board members; the council is led by the Chief Information Officer/Chief Operating Officer. Through the activities of the BTIC, SBA determines the classification of systems which are ultimately reported on SBA's Exhibit 53 and Exhibit 300 submissions to OMB. The classification of systems is integral to the agency. 3) Finally, based on our research, other federal credit agencies do not subject their subsidy models to these "systems" requirements.

Cotton & Company Comments to SBA Response

Cotton & Company does not agree with the CFO response to recommendation 3B in the Draft Report. However, Cotton & Company along with OIG modified finding 3B to reflect only the issues of non-conformance in SBA's Credit Reform Models identified in FASAB Technical Release 3 and 6. Cotton & Company removed its characterization of SBA's credit models as a "financial system" because such characterization was not essential to support our recommendation. We do, however, consider SBA's credit models to fit clearly within OMB's "financial system" definition (see Circular A-127).

Recommendation 3C: CIO agrees with this recommendation and has taken the following steps: (1) Re-invigorated the BTIC process (chaired by the Deputy CIO), where the Agency can prioritize and approve development of its systems and ensure that the appropriate offices are collaborating in the development, (2) Ensured that Information Technology efforts are included in the Execution Scorecard monitoring process, and (3) Developed a partnership modeling process whereby program offices sign performance agreements with OCIO to establish performance goals and commitment levels from the onset of systems design efforts.

4. System Software Controls

Recommendation 4A and 4B: CIO agrees with the recommendations.

Recommendation 4C: CIO agrees with the need to perform a security analysis, but will determine appropriate performance and metrics for security related activities, including any needed contract modifications.

Recommendation 4D and 4E: [FOIA Ex. 2]

Recommendation 4F: CIO partially agrees with this recommendation. We note for the OIG, however, that NIB currently does not have the skill set or tools to administer this task on our network. CIO will review the option of assigning the Security Branch to conduct the network test on SBA's environment. Subsequently, NIB will address any identified vulnerabilities.

5. Segregation-of-Duty Controls

Recommendation 5A: CFO agrees with this recommendation and will respond in detail to the OIG upon receipt of the final FISCAM report.

6. Service Continuity Controls

Recommendation 6A: COO agrees with the recommendation and will do a business impact assessment that defines SBA critical business processes, identifies general support systems that need recovery processes, and stipulates required recovery time periods.

Recommendation 6B: We will also work with GSA, other federal agencies, and the OIG to determine the appropriate components of the COOP and to ensure effective implementation based on guidelines developed in the ongoing OIG audit of our COOP.


                                                     ATTACHMENT 5

                               REPORT DISTRIBUTION

Recipient                                                          Copies

Associate Deputy Administrator for Management & Administration          1

General Counsel                                                         3

General Accounting Office                                               1

Office of the Chief Financial Officer, Attention: Jeff Brown            1